1. Field of the Invention
The present invention relates to an authentication method for performing user authentication processing on a user of a terminal device, and a terminal device, a relay device and an authentication server for use in the method.
2. Description of the Related Art
The EAP-TTLS method is known as an authentication method for performing user authentication processing in a WLAN while concealing the user ID.
The EAP-TTLS method is so constructed that a secure tunnel is established between a terminal device and an authentication server, and the terminal device transmits a user ID to the authentication server through the established secure tunnel.
The EAP-TTLS method, however, has the problem that the additional step of establishing a secure tunnel is redundant.
In order to solve this problem, the EAP-AKA method has been devised as a method of performing user authentication processing without establishing a secure tunnel. With reference to FIG. 15, the EAP-AKA method will be briefly described.
As shown in FIG. 15, for initial user authentication processing, in step S1001, a terminal device 100 transmits authentication information including a user ID to an authentication device (relay device) 200A. In step S1002, the authentication device 200A forwards the authentication information to an authentication server 300A.
In step S1003, the authentication server 300A performs user authentication processing on a user of the terminal device 100, based on the authentication information received, and then generates a temporary ID (temporary user ID) for the user of the terminal device 100.
In step S1004, the authentication server 300A communicates the temporary ID to the authentication device 200A, and in step S1005, the authentication device 200A communicates the temporary ID to the terminal device 100.
Subsequent user authentication processing is performed in the authentication server 300A based on authentication information including the temporary ID transmitted from the terminal device 100.
User authentication processing using the conventional EAP-AKA method, however, has the problem that it does not work well when a plurality of authentication servers is deployed, because no authentication server holds the associations between user IDs and the temporary IDs issued by the other authentication servers.
Referring to FIG. 15, this problem will be described in detail.
In step S1006, the terminal device 100 transmits authentication information including the temporary ID issued by the authentication server 300A to the authentication device 200A. In step S1007, the authentication device 200A forwards the authentication information to an authentication server 300B.
In step S1008, since the authentication server 300B does not hold the association between the temporary ID included in the received authentication information and the corresponding user ID, it cannot perform user authentication processing on the user of the terminal device 100 based on that authentication information.
Therefore, in step S1009, the authentication server 300B communicates an authentication result (NG) to the authentication device 200A. In step S1010, the authentication device 200A communicates the authentication result (NG) to the terminal device 100.
As a result, in steps S1011 to S1015, the terminal device 100 must perform initial user authentication processing again in order to obtain a temporary ID issued by the authentication server 300B.
If there are further authentication servers 300, the terminal device 100 must obtain a temporary ID from each authentication server 300 so that it can select the temporary ID matching whichever authentication server is to perform the user authentication processing.
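The temporary-ID flow of steps S1001 to S1005 and the multi-server failure of steps S1006 to S1015 can be replayed in a small simulation. The following is an added illustration and not code from the patent: the class names, the message dictionaries, the relay log format and the user ID "user@example.com" are assumptions. Each authentication server keeps its own temporary-ID table, exactly as the description states, so a temporary ID issued by 300A is unknown to 300B and yields NG; the terminal then falls back to initial authentication, which again transmits the user ID itself rather than the temporary ID. The `per_server` flag models the last paragraph above: even when the terminal stores one temporary ID per server and selects it by server, every server still has to be bootstrapped once with an initial authentication.

```python
"""
Simulation of the EAP-AKA temporary-ID flow above (steps S1001 to S1015) and of
why it fails when two authentication servers keep separate temporary-ID tables.
Added illustration, not code from the patent: the class names, the message
dictionaries and the user ID "user@example.com" are assumptions.
"""
import secrets


class AuthServer:
    """One authentication server (300A or 300B); its temporary-ID table is local."""

    def __init__(self, name, subscribers):
        self.name = name
        self.subscribers = subscribers   # user IDs this server can verify
        self.temp_to_user = {}           # temporary ID -> user ID, never shared

    def authenticate(self, auth_info):
        """Return ('OK', temporary_id) or ('NG', None)."""
        if "user_id" in auth_info:                      # initial authentication (S1003)
            user_id = auth_info["user_id"]
            if user_id not in self.subscribers:
                return "NG", None
            temp_id = f"{self.name}-{secrets.token_hex(4)}"
            self.temp_to_user[temp_id] = user_id        # association held only here
            return "OK", temp_id
        temp_id = auth_info["temp_id"]                  # subsequent authentication
        if temp_id not in self.temp_to_user:            # S1008: association unknown
            return "NG", None
        return "OK", temp_id


class RelayDevice:
    """Authentication device 200A: forwards to the selected server and logs results."""

    def __init__(self, servers):
        self.servers = servers
        self.log = []                    # (server name, message kind, result)

    def forward(self, auth_info, server_name):
        result, temp_id = self.servers[server_name].authenticate(auth_info)
        kind = "user_id" if "user_id" in auth_info else "temp_id"
        self.log.append((server_name, kind, result))
        return result, temp_id


class TerminalDevice:
    """Terminal device 100.

    per_server=False: keeps only the most recently issued temporary ID.
    per_server=True:  keeps one temporary ID per server and selects it by server.
    """

    def __init__(self, user_id, relay, per_server=False):
        self.user_id = user_id
        self.relay = relay
        self.per_server = per_server
        self.temp_ids = {}               # key: server name, or "*" when not per-server

    def _key(self, server_name):
        return server_name if self.per_server else "*"

    def authenticate_via(self, server_name):
        """Try a stored temporary ID first; fall back to initial authentication.

        Returns (result, initial_auth_performed).
        """
        temp_id = self.temp_ids.get(self._key(server_name))
        if temp_id is not None:                         # S1006: send the temporary ID
            result, _ = self.relay.forward({"temp_id": temp_id}, server_name)
            if result == "OK":
                return result, False
        # S1001 / S1011: initial authentication sends the user ID itself
        result, temp_id = self.relay.forward({"user_id": self.user_id}, server_name)
        if result == "OK":
            self.temp_ids[self._key(server_name)] = temp_id
        return result, True


def run_scenario(per_server=False):
    """Authenticate via 300A, then 300B, then 300A again.

    Returns the relay log and, per attempt, whether initial authentication was needed.
    """
    subscribers = {"user@example.com"}                 # constructed subscriber set
    relay = RelayDevice({"300A": AuthServer("300A", subscribers),
                         "300B": AuthServer("300B", subscribers)})
    terminal = TerminalDevice("user@example.com", relay, per_server)
    needed = [terminal.authenticate_via(s)[1] for s in ("300A", "300B", "300A")]
    return relay.log, needed


if __name__ == "__main__":
    for flag in (False, True):
        log, needed = run_scenario(flag)
        print("per_server =", flag)
        for entry in log:
            print("   ", entry)
        print("    initial authentication needed:", needed)
```

With `per_server=False` the relay log shows the NG at 300B (step S1009) followed by a second initial authentication, and then the same NG again when the terminal returns to 300A with 300B's temporary ID. With `per_server=True` the third attempt succeeds using the stored 300A temporary ID, but the first contact with each server still requires an initial authentication that carries the user ID.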